Added extra checks for VMWare and Wine.

2015-05-18 15:20:20 +01:00 · 2015-05-18 15:20:20 +01:00 · 01879489d4
parent b0a2aeeda3
commit 01879489d4
5 changed files with 47 additions and 0 deletions
--- a/pafish/main.c
+++ b/pafish/main.c
@ -221,6 +221,14 @@ int main(void)
 	}
 	else print_not_traced();

+	printf("[*] Reg key (HKCU\\SOFTWARE\\Wine) ... ");
+	if (wine_reg_key1() == TRUE) {
+		write_log("Wine traced using Reg key HKCU\\SOFTWARE\\Wine");
+		print_traced();
+		write_trace("hi_wine");
+	}
+	else print_not_traced();
+
 	/* VirtualBox detection tricks */
 	printf("\n[-] VirtualBox detection\n");
 	printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
@ -385,6 +393,14 @@ int main(void)
 	}
 	else print_not_traced();

+	printf("[*] Looking for pseudo devices ... ");
+	if (vmware_devices(TRUE) == TRUE) {
+		/* Log written inside function */
+		print_traced();
+		write_trace("hi_vmware");
+	}
+	else print_not_traced();
+
 	/* Qemu detection tricks */
 	printf("\n[-] Qemu detection\n");
 	printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
--- a/pafish/vmware.c
+++ b/pafish/vmware.c
@ -1,10 +1,12 @@

 #include <windows.h>
 #include <string.h>
+#include <stdio.h>

 #include "vmware.h"
 #include "types.h"
 #include "utils.h"
+#include "common.h"

 int vmware_reg_key1() {
 	if ( pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMWARE") ||
@ -27,3 +29,23 @@ int vmware_sysfile1() {
 int vmware_sysfile2() {
 	return pafish_exists_file("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
 }
+
+int vmware_devices(int writelogs) {
+	HANDLE h;
+	const int count = 2;
+	string strs[count];
+	int res = FALSE, i = 0;
+	char message[200];
+
+	strs[0] = "\\\\.\\HGFS";
+	strs[1] = "\\\\.\\vmci";
+	for (i=0; i < count; i++) {
+		h = CreateFile(strs[i], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+		if (h != INVALID_HANDLE_VALUE) {
+			snprintf(message, sizeof(message)-sizeof(message[0]), "VMWare traced using device %s", strs[i]);
+			if (writelogs) write_log(message);
+			res = TRUE;
+		}
+	}
+	return res;
+}
--- a/pafish/vmware.h
+++ b/pafish/vmware.h
@ -10,4 +10,6 @@ int vmware_sysfile1();

 int vmware_sysfile2();

+int vmware_devices();
+
 #endif
--- a/pafish/wine.c
+++ b/pafish/wine.c
@ -3,6 +3,7 @@

 #include "wine.h"
 #include "types.h"
+#include "utils.h"

 int wine_detect_get_unix_file_name() {
 	HMODULE k32;
@ -19,3 +20,7 @@ int wine_detect_get_unix_file_name() {
 		return FALSE;
 	}
 }
+
+int wine_reg_key1() {
+	return pafish_exists_regkey(HKEY_CURRENT_USER, "SOFTWARE\\Wine");
+}
--- a/pafish/wine.h
+++ b/pafish/wine.h
@ -4,4 +4,6 @@

 int wine_detect_get_unix_file_name();

+int wine_reg_key1();
+
 #endif